When installing MS Windows NT4/200x on a computer, the installation program creates default users and groups, notably the Administrators group, and gives that group the privileges necessary to perform essential system tasks, such as the ability to change the date and time or to kill (or close) any process running on the local machine. The Administrator user is a member of the Administrators group, and thus inherits Administrators group privileges. If a user joe is created as a member of the Administrators group, joe has exactly the same rights as the user Administrator. When an MS Windows NT4/200x/XP machine is made a Domain Member, the "Domain Admins" group of the PDC is added to the local Administrators group of the workstation. Every member of the Domain Administrators group inherits the rights of the local Administrators group when logging on to the workstation. The following steps describe how to make Samba PDC users members of the Domain Admins group.
The quotes around "Domain Admins" are necessary because of the space in the group name. Also make sure to leave no white space surrounding the equal sign (=). Now joe, john and mary are domain administrators.

It is possible to map any arbitrary UNIX group to any Windows NT4/200x group, as well as to make any UNIX group a Windows domain group. For example, if you wanted to include a UNIX group (e.g., acct) in an ACL on a local file or printer on a Domain Member machine, you would flag that group as a domain group by running the following on the Samba PDC:

root# net groupmap add rid=1000 ntgroup="Accounting" UNIXgroup=acct

Be aware that the RID parameter is an unsigned 32-bit integer that should normally start at 1000. However, this RID must not overlap with any RID assigned to a user. Verification for this is done differently depending on the passdb backend you are using. Future versions of the tools may perform the verification automatically, but for now the burden is on you.

11.2.1 Default Users, Groups and Relative Identifiers

When first installed, Microsoft Windows NT4/200x/XP are preconfigured with certain User, Group, and Alias entities. Each has a well-known Relative Identifier (RID). These must be preserved for continued integrity of operation. Samba must be provisioned with certain essential Domain Groups that require the appropriate RID value. When Samba-3 is configured to use tdbsam, the essential Domain Groups are automatically created. It is the LDAP administrator's responsibility to create (provision) the default NT Groups. Each essential Domain Group must be assigned its respective well-known RID. The default Users, Groups, Aliases, and RIDs are shown in Table 11.1.
It is permissible to create any Domain Group that may be necessary; just make certain that the essential (well-known) Domain Groups have been created and assigned their default RIDs. Other groups you create may be assigned any arbitrary RID you care to use. Be sure to map each Domain Group to a UNIX system group. That is the only way to ensure that the group will be available for use as an NT Domain Group.

Table 11.1. Well-Known User Default RIDs

11.2.2 Example Configuration

You can list the various groups in the mapping database by executing net groupmap list. Here is an example:

root# net groupmap list
Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin
Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser
Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest

For complete details on net groupmap, refer to the net(8) man page.
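The text above leaves RID overlap checking to the administrator, and the net groupmap list output gives a parseable view of the group side of that check. The following Python script is an added example, not part of the Samba documentation or the Samba tools. It parses a constructed sample written in the net groupmap list format shown above, confirms that the well-known Domain Groups (RIDs 512, 513 and 514) are mapped, rejects a candidate RID that collides with an existing group or user RID or falls below 1000, and suggests the lowest free RID. The user RID table is a constructed sample standing in for whatever your passdb backend reports; the SIDs are made up.

```python
import re

# Constructed sample in the format printed by "net groupmap list"
# (the domain SID and the Accounting entry are made up for this example).
SAMPLE_GROUPMAP_LIST = """\
Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin
Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser
Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest
Accounting (S-1-5-21-2547222302-1596225915-2414751004-1000) -> acct
"""

# Constructed sample of user RIDs, standing in for what your passdb backend
# reports; the values are chosen to demonstrate an overlap with a group RID.
SAMPLE_USER_RIDS = {"Administrator": 500, "joe": 1001, "mary": 1002}

# Well-known Domain Group RIDs that every Samba domain must provide.
ESSENTIAL_GROUP_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}

# One mapping line: "<NT group> (<SID>) -> <UNIX group>"; the RID is the last SID component.
GROUPMAP_LINE = re.compile(
    r"^(?P<nt>.+?) \((?P<sid>S-1-5-[\d-]+?-(?P<rid>\d+))\) -> (?P<unix>\S+)$"
)


def parse_groupmap_list(text):
    """Return {nt_group: (rid, unix_group)} parsed from net groupmap list output."""
    mappings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = GROUPMAP_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised groupmap line: {line!r}")
        mappings[m.group("nt")] = (int(m.group("rid")), m.group("unix"))
    return mappings


def missing_essential_groups(mappings):
    """Well-known groups that are absent or mapped to the wrong RID, sorted by name."""
    return sorted(name for name, rid in ESSENTIAL_GROUP_RIDS.items()
                  if mappings.get(name, (None, None))[0] != rid)


def check_new_rid(rid, mappings, user_rids):
    """List the reasons `rid` must not be given to a new domain group (empty list = OK)."""
    problems = []
    if not 0 <= rid < 2**32:
        problems.append(f"RID {rid} is not an unsigned 32-bit integer")
        return problems
    if rid < 1000:
        problems.append(f"RID {rid} is below 1000, where RIDs for new groups should start")
    for nt_group, (group_rid, _unix_group) in mappings.items():
        if group_rid == rid:
            problems.append(f"RID {rid} is already assigned to group {nt_group!r}")
    for user, user_rid in user_rids.items():
        if user_rid == rid:
            problems.append(f"RID {rid} is already assigned to user {user!r}")
    return problems


def next_free_rid(mappings, user_rids, start=1000):
    """Lowest RID >= start that collides with neither a group RID nor a user RID."""
    used = {rid for rid, _ in mappings.values()} | set(user_rids.values())
    rid = start
    while rid in used:
        rid += 1
    return rid


if __name__ == "__main__":
    groups = parse_groupmap_list(SAMPLE_GROUPMAP_LIST)
    print("missing essential groups:", missing_essential_groups(groups) or "none")
    for candidate in (512, 1000, 1001, 1003):
        print(candidate, check_new_rid(candidate, groups, SAMPLE_USER_RIDS) or "ok")
    print("next free RID:", next_free_rid(groups, SAMPLE_USER_RIDS))
```

On a real PDC you would feed the script the actual net groupmap list output and a user RID table built from your passdb backend; run it before every net groupmap add so that the overlap the text warns about is caught before the mapping is written.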